Blog for netsec, linux, windows, and hacking! New readers: If you want a list of my posts, check out my "hackive" or "popular posts" on the sidebar! If you want to support my blog there is a donate option, but do not feel obliged as this education is free!

Tuesday, October 30, 2012

OverTheWire Wargame "Natas" Level 5 [How-To/Web]

So we cracked Level 4 with some knowledge of HTTP headers and requests, and used a cool little app to help us out. Now we are on Level 5, and after logging it it presents us with a weird page:

Well wait, didn't we just log in? Why does it say we aren't?

Looks like the password didn't authenticate us correctly, OR there's something blocking our authentication even further.

Right away, I knew what to do. What is something in a browser that holds certain information, including login information? Cookies! But how am I going to check out the delicious cookies? Javascript!

Don't worry, the Javascript we'll be using is really easy to understand. I don't even know a lot of JS, but it's easy for me to do.

Below is the Javascript that we can use to view the cookies on the current "document" (webpage):

alert(document.cookie);

But how do we get this to run on the website? We put it into the navigation bar!

What this is doing is running a Javascript script denoted by the "javascript:" and it will pop up an "alert" window with the document cookie.

Looks like a bunch of gibberish... but wait, what's that at the end!

loggedin=0

Well, as we know in binary, 0 is false, and 1 is true, so it's saying we're not logged in! How do we go about changing this? We use Javascript again to exploit a XSS (cross side scripting) attack and change the value of the cookie.

The Javascript this time is:

void(document.cookie="loggedin=1");

Which means that the return type is "void" (returns nothing), and we want to set the cookie in the current document (webpage) with the value "loggedin=0". We know that value already exists in the cookie because we saw it, so it should change it from 0 (not authenticated) to 1 (authenticated).

Now hit enter and lets see what happens.Well, nothing should really happen that you can see, because we had the return type set as "void".What you can do now, is either run the Javascript to view the cookie again, or just refresh to see:

Thanks for sharing an informative blog keep rocking bring more details.I like the helpful info you provide in your articles....Latest Sarkari result are available on this page. We have created this page to provide all the latest information about the latest and Upcoming India Results 2020